An End-to-End VPN session provides complete privacy and data integrity for enterprise users who access the enterprise network from outside the intranet. However, because packets are encrypted end-to-end from the client to the enterprise VPN gateway, it is not possible for Network Service Providers (NSPs) to provide value-added services to these enterprise users, as such services require visibility into the packet headers and application data. A Network-based VPN allows termination of the user VPN session at an IP service switch (IPSS) within the NSP's network. Another VPN session from the IPSS to the enterprise VPN gateway is used to carry traffic from the IPSS to the enterprise. Because packet headers and application data are visible in the clear at the IPSS, value-added services can be provided by the IPSS.
The advantages of Network-based VPN are twofold. First, data aggregation and scalability are achieved by terminating all VPN sessions from the clients at the IPSS and transporting data packets over a single VPN session from the IPSS to the Enterprise VPN gateway. Since the Enterprise VPN gateway needs to terminate only one VPN session, even when the number of VPN users to the enterprise increases, the amount of VPN session information, including Security Association (SA) information, that needs to be maintained at the VPN gateway does not increase. Thus, data aggregation for VPN sessions is in itself a value-added service that an NSP can offer to its customers.
Second, by being able to decrypt the packet at the IPSS, value-added services that require packet and application header inspection, such as firewall service, Internet offload, and caching service, among others, become possible. These services increase the revenue opportunities for NSPs and also benefit enterprises, which are able to outsource these services to the NSP. It is noted that with End-to-End VPNs, such services are not possible because the headers are not visible in the network.
The Network-based VPN approach allows the data transported between the VPN client and the Enterprise VPN gateway to be visible in the clear at the IPSS. Accordingly, enterprises need to be able to trust the NSP to preserve the integrity and privacy of this data within the IPSS. This appears to be a major concern that inhibits enterprises from choosing a Network-based VPN service.
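The two properties described above (SA state at the enterprise gateway, and where cleartext is visible) can be made concrete with a small model. This is an added illustration, not code from the original text; the node and SA names are hypothetical and "encryption" is just a tag recording which SA protects a packet.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src: str
    payload: str
    sa: Optional[str] = None  # SA currently protecting the payload; None means cleartext

@dataclass
class Node:
    name: str
    sas: set = field(default_factory=set)  # SA state this node must maintain

    def encrypt(self, pkt: Packet, sa: str) -> Packet:
        assert pkt.sa is None, "would double-encrypt"
        self.sas.add(sa)
        return Packet(pkt.src, pkt.payload, sa)

    def decrypt(self, pkt: Packet, sa: str) -> Packet:
        assert pkt.sa == sa, f"{self.name} cannot decrypt: packet protected by {pkt.sa}"
        self.sas.add(sa)
        return Packet(pkt.src, pkt.payload, None)

    def inspect(self, pkt: Packet) -> Optional[str]:
        # Value-added services (firewall, caching) need cleartext; ciphertext yields nothing.
        return pkt.payload if pkt.sa is None else None

def run(mode: str, users: int) -> dict:
    """Push one packet per user through the chosen topology and report what each node saw."""
    ipss, gw = Node("IPSS"), Node("EnterpriseGW")
    seen_at_ipss = []
    for i in range(users):
        client = Node(f"client{i}")
        pkt = Packet(client.name, f"GET /intranet/{i}")  # constructed sample request
        if mode == "end-to-end":
            pkt = client.encrypt(pkt, f"sa-{client.name}-gw")   # one SA per user at the gateway
            seen_at_ipss.append(ipss.inspect(pkt))               # IPSS forwards ciphertext blindly
            pkt = gw.decrypt(pkt, f"sa-{client.name}-gw")
        else:  # network-based
            pkt = client.encrypt(pkt, f"sa-{client.name}-ipss")
            pkt = ipss.decrypt(pkt, f"sa-{client.name}-ipss")   # cleartext at the IPSS (trust boundary)
            seen_at_ipss.append(ipss.inspect(pkt))
            pkt = ipss.encrypt(pkt, "sa-ipss-gw")                # single aggregated SA to the enterprise
            pkt = gw.decrypt(pkt, "sa-ipss-gw")
        assert gw.inspect(pkt) is not None  # enterprise always receives the cleartext request
    return {"gateway_sas": len(gw.sas), "ipss_sas": len(ipss.sas),
            "ipss_sees_cleartext": sum(p is not None for p in seen_at_ipss)}
```

With five users, the end-to-end run leaves five SAs at the gateway and nothing readable at the IPSS, while the network-based run leaves one SA at the gateway but exposes every request in the clear at the IPSS.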
Moreover, VPN client software residing in the client device (e.g., desktop, PDA, laptop, mobile device, and the like) is only able to create a single VPN tunnel, to either an Enterprise gateway (End-to-End VPN) or an IPSS (Network-based VPN). Accordingly, as the End-to-End VPN service and Network-based VPN service are currently offered, an enterprise is limited to choosing either the End-to-End VPN service or the Network-based VPN service for all of its users, and likewise for all applications that a user accesses within the enterprise intranet.